I have been struggling to get a network policy in place that does the following:
- Only allows pods/services within the same namespace to communicate with one another (a pod in namespace A CANNOT talk to a pod in namespace B), i.e. namespace isolation
- Allows access from the outside via the ingress controller running in namespace ingress-nginx
My network policy looks like:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: bjmtest
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress-nginx
        - namespaceSelector:
            matchLabels:
              name: bjmtest
Basically I want the policy to apply to all pods in the namespace and I want pods with a namespace label “name: ingress-nginx” OR pods with a namespace label “name: bjmtest” to be able to communicate.
What I’m seeing is pod isolation (namespace bjmtest comes up fine, and if I exec into one of the pods I cannot curl services in other namespaces), which is what I want.
But if I try to access any of my ingress routes (kubectl get ingress -n bjmtest), I sometimes get the service and sometimes get a 504 Gateway Timeout error.
How can I have namespace isolation while at the same time allowing the ingress rules to work?
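The following manifest is an added example, not the asker's own policy, showing the same two-rule shape (same-namespace traffic OR traffic from the ingress controller's namespace) written against the `kubernetes.io/metadata.name` label that Kubernetes 1.21 and later sets on every namespace automatically. The namespace names bjmtest and ingress-nginx are taken from the question; everything else is assumed. The point of using the built-in label is that a `namespaceSelector` matches nothing if the target namespace does not actually carry the label it names, and a custom `name=ingress-nginx` label only exists if someone added it.

```yaml
# Added example (not the asker's manifest): isolate namespace bjmtest but
# admit traffic from the ingress-nginx namespace.
# Assumes Kubernetes >= 1.21, where every namespace carries the immutable
# label kubernetes.io/metadata.name=<namespace name>, so no custom label
# has to be present on either namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: bjmtest
spec:
  # Empty podSelector: the policy selects every pod in bjmtest, so all of
  # them become isolated for ingress and only the rules below admit traffic.
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    # Entries under a single "from" list are OR'd: a connection is allowed
    # if it matches any one of them.
    - from:
        # Any pod in the same namespace.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: bjmtest
        # Any pod in the ingress controller's namespace.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
```

Before relying on a label-based selector, confirm the label is really present with `kubectl get ns ingress-nginx --show-labels`; on clusters older than 1.21, or when sticking with a custom label, `kubectl label ns ingress-nginx name=ingress-nginx` makes the original `name: ingress-nginx` selector match. Two further things are worth keeping in mind: the rule admits every pod in ingress-nginx, so adding a `podSelector` inside the same `from` entry (alongside the `namespaceSelector`) narrows it to the controller pods only; and NetworkPolicy is enforced by the CNI plugin, so a cluster whose network plugin does not implement it will accept the object and enforce nothing.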